Which integrations are available for this server?

Supports payments to Cloudflare services through the runtime security layer, with Cloudflare included in the default approved vendor categories for transaction processing. Provides virtual card issuance via Stripe API as a payment provider option, enabling real payment processing for AI agent transactions.

npm version License: MIT Node.js

Point One Percent — pop-pay

The runtime security layer for AI agent commerce. Card credentials are injected directly into the browser DOM via CDP — they never enter the agent's context window. One hallucinated prompt can't drain a wallet it can't see.

Getting Started

1. Initialize the credential vault

npx -y pop-pay pop-init-vault

This encrypts your card credentials into ~/.config/pop-pay/vault.enc (AES-256-GCM). The MCP server decrypts automatically at startup.

For stronger protection (recommended — blocks agents with shell access):

npx -y pop-pay pop-init-vault --passphrase   # one-time setup
npx -y pop-pay pop-unlock                     # run once before each session

2. Add to your MCP client

Standard config for any MCP-compatible client:

{
  "mcpServers": {
    "pop-pay": {
      "command": "npx",
      "args": ["-y", "pop-pay", "launch-mcp"],
      "env": {
        "POP_CDP_URL": "http://localhost:9222"
      }
    }
  }
}

Claude Code uses its own CLI — the JSON config above is not needed.

claude mcp add --scope user pop-pay -- npx -y pop-pay launch-mcp

--scope user makes it available across all projects. To remove: claude mcp remove pop-pay

Add the JSON config above to:

Cursor: ~/.cursor/mcp.json
Windsurf: ~/.codeium/windsurf/mcp_config.json
VS Code (Copilot): .vscode/mcp.json in project root

OpenClaw has its own CLI — the JSON config above is not needed.

openclaw mcp add pop-pay -- npx -y pop-pay launch-mcp

Or add to ~/.openclaw/mcp_servers.json using the JSON config above.

For System Prompt templates and NemoClaw sandbox setup, see Integration Guide §4.

docker-compose up -d

Runs the MCP server + headless Chromium with CDP. Mount your encrypted vault from the host.

3. Launch Chrome with CDP and start using

npx -y pop-pay launch

Restart your MCP client. The agent now has access to pop-pay's MCP tools.

MCP Tools

Tool	Description
`request_virtual_card`	Issue a virtual card and inject credentials into the checkout page via CDP. Automatically scans the page for hidden prompt injections.
`request_purchaser_info`	Auto-fill billing/contact info (name, address, email, phone). Automatically scans the page for hidden prompt injections.
`request_x402_payment`	Pay for API calls via the x402 HTTP payment protocol.

Tip for Claude Code users: Add the following to your project's CLAUDE.md to help the agent know when to call pop-pay: "When you encounter a payment form or checkout page, use the request_virtual_card tool. For billing/contact info forms, use request_purchaser_info first."

Configuration

Core variables in ~/.config/pop-pay/.env. See ENV_REFERENCE.md for the full list.

Variable	Default	Description
`POP_ALLOWED_CATEGORIES`	`["aws","cloudflare"]`	Approved vendor categories — see Categories Cookbook
`POP_MAX_PER_TX`	`100.0`	Max USD per transaction
`POP_MAX_DAILY`	`500.0`	Max USD per day
`POP_BLOCK_LOOPS`	`true`	Block hallucination/retry loops
`POP_AUTO_INJECT`	`true`	Enable CDP card injection
`POP_GUARDRAIL_ENGINE`	`keyword`	`keyword` (zero-cost) or `llm` (semantic)

Guardrail Mode

	`keyword` (default)	`llm`
Mechanism	Keyword matching on reasoning string	Semantic analysis via LLM
Cost	Zero — no API calls	One LLM call per request
Best for	Development, low-risk workflows	Production, high-value transactions

To enable LLM mode, see Integration Guide §1.

Providers

Provider	Description
BYOC (default)	Bring Your Own Card — encrypted vault credentials, local CDP injection.
Stripe Issuing	Real virtual cards via Stripe API. Requires `POP_STRIPE_KEY`.
Lithic	Multi-issuer adapter (Stripe Issuing / Lithic).
Mock	Test mode with generated card numbers for development.

Priority: Stripe Issuing → BYOC Local → Mock.

Security

Layer	Defense
Context Isolation	Card credentials never enter the agent's context window or logs
Encrypted Vault	AES-256-GCM with XOR-split salt and native scrypt key derivation (Rust)
TOCTOU Guard	Domain verified at the moment of CDP injection — blocks redirect attacks
Repr Redaction	Automatic masking (`****-4242`) in all MCP responses, logs, and tracebacks

See THREAT_MODEL.md for the full STRIDE analysis and COMPLIANCE_FAQ.md for enterprise details.

Architecture

TypeScript — MCP server, CDP injection engine, guardrails, CLI
Rust (napi-rs) — Native security layer: XOR-split salt storage, scrypt key derivation
Node.js crypto — AES-256-GCM vault encryption (OpenSSL binding)
Chrome DevTools Protocol — Direct DOM injection via raw WebSocket

Documentation

Threat Model — STRIDE analysis, 5 security primitives, 10 attack scenarios
Guardrail Benchmark — 95% accuracy across 20 test scenarios
Compliance FAQ — PCI DSS, SOC 2, GDPR details
Environment Reference — All POP_* environment variables
Integration Guide — Setup for Claude Code, Node.js SDK, and browser agents
Categories Cookbook — POP_ALLOWED_CATEGORIES patterns and examples

License

MIT

This server cannot be installed

A

license - permissive license

-

quality - not tested

B

maintenance

How are these scores calculated?

Maintenance

–Maintainers

–Response time

0dRelease cycle

12Releases (12mo)

Resources

Need Help?

Related Servers

pop-pay